Forescout Vedere Labs has discovered a set of 61 vulnerabilities affecting devices from 13 operational technology (OT) vendors caused by insecure-by-design practices in OT. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation.
Forescout Vedere Labs has discovered a set of 61 vulnerabilities affecting devices from 13 operational technology (OT) vendors caused by insecure-by-design practices in OT. The affected products are known to be prevalent in industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. Many of these products are sold as “secure by design” or have been certified with OT security standards
Vulnerabilities
Device Models
Device Manufacturers Affected
The vulnerabilities are divided into four main categories: insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware updates and remote code execution via native functionality.
Exactly one year after the original disclosure, we concluded OT:ICEFALL with these three insights into the state of OT product security:
With OT:ICEFALL, we wanted to disclose and provide a quantitative overview of OT insecure-by-design vulnerabilities rather than rely on the periodic bursts of CVEs for a single product or a small set of public, real-world incidents that are often brushed off as a particular vendor or asset owner being at fault. These issues range from persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them. The goal is to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often-false sense of security offered by certifications significantly complicate OT risk management efforts.
It has been 10 years since Project Basecamp, a research project conducted by Digital Bond that investigated how critical OT devices and protocols were, to use the term they coined, “insecure by design.” Icefall is the name of the second stop on the Everest route, after Base Camp. Given the rising number of OT vulnerability disclosures, we know we have a mountain to climb to secure these devices and protocols.
Implementing mitigation for OT:ICEFALL requires:
The Forescout Platform helps you achieve all of these steps without disrupting critical business processes or requiring operational downtime. Forescout’s eyeInspect product has native monitoring capabilities for the protocols used by the affected devices and built-in detection for exploitation of OT:ICEFALL vulnerabilities. Customers should update to the latest eyeInspect release to make full use of our industrial threat library updated monthly, and ICS-specific IOC and CVEs.
As part of the OT:ICEFALL disclosure, Forescout provided the cybersecurity community with a technical report in which we discuss the 56 vulnerabilities, their impact and their mitigation in detail, as well as the insecure-by-design debate, the effect of opacity on risk management, industry-specific attack scenarios and more.
